Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Date: Thu Jan 03 2002 - 08:04:17 CST
could it be, that the text-browsers (lynx, links, w3m) don't even
bother comparing the actual server name to the certificate's
"issued for" entry?
I just tested these and none complained:
- lynx 2.8.5dev.2 (with OpenSSL 0.9.6a)
- links 0.96
- w3m 0.1.11-pre
(all on Mandrake Linux 8.1)
Neither did any of them complain when accessing a https web page
with a self-made certificate.
> Looks like Konqueror 2.2.1 (Mandrake Linux 8.1 + OpenSSL 0.9.6b) is also
> vulnerable. I've got no warning when entering on this page. I've tested it
> also with lynx 2.8.4rel.1 (compiled with OpenSSL 0.9.6a on FreeBSD) with
> same result.
> * Fido: 2:480/124 ** WWW: http://www.frasunek.com/ **
> NIC-HDL: PMF9-RIPE *
> * Inet: przemyslawfrasunek.com ** PGP:
> D48684904685DF43EA93AFA13BE170BF *